1. Digitally signed automatic security updates.

If a security vulnerability is ever discovered in Airship, the patch
will automatically be applied to your website within an hour of being
released by our team.

All security updates will be digitally signed with a secret key to
guarantee authenticity; the associated public key is packaged with the
default Airship configuration. The digital signature algorithm we use is
Ed25519 (facilitated by libsodium).

We take extra care when handling our secret key; should it ever be
compromised, we will use our backup key to revoke the old one and
replace it with a new one.

You can disable the auto-update feature from the Bridge, but we do not
recommend doing this.

You can also choose to trust someone else's mirrors and public key
instead of ours. The code is completely open, but you only need to change a
JSON configuration file to decide to trust someone else.
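
The check this section describes, sketched in PHP with the libsodium extension. This is an added example, not Airship's own update code; the "public_key" configuration field, the key pairs and the package bytes are constructed for the demonstration. It shows that an altered package, a damaged signature or a different pinned key all make verification fail.

```php
<?php
declare(strict_types=1);

/**
 * Accept an update only if its detached Ed25519 signature verifies against
 * the public key pinned in local configuration. Any malformed input fails
 * closed. The "public_key" config field (hex) is a hypothetical layout.
 */
function verifyUpdate(string $package, string $signatureHex, array $config): bool
{
    try {
        $publicKey = sodium_hex2bin((string) ($config['public_key'] ?? ''));
        $signature = sodium_hex2bin($signatureHex);
        if (strlen($publicKey) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES
            || strlen($signature) !== SODIUM_CRYPTO_SIGN_BYTES) {
            return false;
        }
        return sodium_crypto_sign_verify_detached($signature, $package, $publicKey);
    } catch (SodiumException $e) {
        return false; // invalid hex or input rejected by libsodium
    }
}

// Constructed demo. This key pair stands in for the publisher's; a real site
// holds only the public half, shipped in its configuration.
$publisher = sodium_crypto_sign_keypair();
$config = json_decode((string) json_encode([
    'public_key' => sodium_bin2hex(sodium_crypto_sign_publickey($publisher)),
]), true);

$package   = 'constructed update archive bytes';
$signature = sodium_bin2hex(
    sodium_crypto_sign_detached($package, sodium_crypto_sign_secretkey($publisher))
);

echo 'untouched package:    ', var_export(verifyUpdate($package, $signature, $config), true), "\n";
echo 'one byte appended:    ', var_export(verifyUpdate($package . "\x00", $signature, $config), true), "\n";
echo 'truncated signature:  ', var_export(verifyUpdate($package, substr($signature, 2), $config), true), "\n";

// Pointing the configuration at someone else's key changes whose releases
// are accepted: the first publisher's signature is then checked against it.
$other = sodium_crypto_sign_keypair();
$config['public_key'] = sodium_bin2hex(sodium_crypto_sign_publickey($other));
echo 'different pinned key: ', var_export(verifyUpdate($package, $signature, $config), true), "\n";
```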

2. The community is always in control of any add-ons it produces.

Airship offers three strategies for extending its base features:

Cabins, which are entire applications (see #3 below).

Gadgets, which are plugins that can be applied at a per-Cabin level
or across every Cabin in your ship.

Motifs, which change the look and feel of your Airship.

All Cabins, Gadgets, and Motifs can be assigned to a vendor (which has
its own Ed25519 key pair), and that supplier has control of the
distribution of automatic updates.

This gives you, the supplier, control over your add-ons, not us.
Neither the Airship development team nor Paragon Initiative Enterprises
can prevent your users from installing, updating, or using any add-on.

We can still de-list abusive add-ons from the official SkyPort, but
anyone can operate their own and we will always aspire to make switching
to an alternative SkyPort as easy as pie.

Most importantly: Anyone can be a supplier; we don't believe in erecting
barriers to entry.

3. Supports a multi-site architecture out of the box.

Each Cabin is its own website. Install as many Cabins as you need. No
questionable hacks needed.

4. Designed by progressive-minded application security professionals.

5. Our Gear system allows the framework to be extended.

Because of our auto-updater, any local changes made to the Engine files
will be obliterated whenever an upstream change occurs. To allow users
to extend and customize the core classes to meet their needs, we
designed our application around the Gears system.

Most of the core Engine classes can be extended at runtime by the
extensions you create (or install from the community). Instead of
accessing the core classes directly, load the latest version of the Gear
(which could be our code, or yours).

The Security Benefits of using Airship

Use TLS (if you use Caddy,
this is automatic in production environments).

Don't disable automatic updates.

Use a strong password and/or two-factor authentication.

That's it. You don't need to jump through a dozen hoops to prevent your website
from being used by criminals to distribute malware or launch Distributed Denial
of Service attacks. Even if our infrastructure is compromised, your Airship is
protected by strong cryptography.

Vulnerabilities we Prevent

What follows is a list of security vulnerabilities you will almost certainly
never have to worry about if you use CMS Airship.

Malicious File Uploads
* Airship uses a virtual filesystem that offers read-only access (and only
to authorized users) to uploaded files. Files will never execute in the
server nor in your browser.

SQL Injection is effectively mitigated by our use of prepared
statements in nearly every context. Where prepared statements aren't
used, a typecast to int or strict whitelist of allowed characters is
enforced instead.
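
The three techniques named above, side by side in one query. This is an added example, not code from Airship; it assumes PHP with the PDO SQLite driver, and the `posts` table, the `findPosts()` helper and the sample rows are constructed.

```php
<?php
declare(strict_types=1);

/**
 * List an author's post titles. Values go through a prepared statement; the
 * parts interpolated into the SQL text are constrained first.
 */
function findPosts(PDO $db, string $author, string $sortColumn, $limit): array
{
    // Column names cannot be bound as parameters: strict whitelist.
    if (!in_array($sortColumn, ['title', 'created'], true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    // Numeric clause: typecast to int, then clamp to a sane range.
    $limit = max(1, min((int) $limit, 100));

    $stmt = $db->prepare(
        "SELECT title FROM posts WHERE author = :author
         ORDER BY {$sortColumn} LIMIT {$limit}"
    );
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (title TEXT, author TEXT, created INTEGER)');
$insert = $db->prepare('INSERT INTO posts (title, author, created) VALUES (?, ?, ?)');
foreach ([['Hello', 'alice', 2], ['Draft', 'bob', 1], ['Again', 'alice', 3]] as $row) {
    $insert->execute($row);
}

// A quote in the author value is matched as data, not parsed as SQL.
print_r(findPosts($db, "alice' OR '1'='1", 'title', 10));
// Trailing text after the number is discarded by the int cast.
print_r(findPosts($db, 'alice', 'created', '1; DROP TABLE posts'));
// A sort column outside the whitelist never reaches the query.
try {
    findPosts($db, 'alice', 'title; DROP TABLE posts', 10);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```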

Insecure Session Management
* If you use HTTPS, all cookies are only sent over HTTPS.
Additionally, we support Hypertext-Strict-Transport-Security and
HTTP Public-Key-Pinning out of the box.

Cross-Site Scripting (XSS) is mitigated on two fronts:
* Output Escaping (rather than Input escaping) proactively
prevents most XSS vulnerabilities from even occurring.
* Content-Security-Policy headers act as a second line of defense
for browsers. This is an exploit mitigation feature which should not
be relied on. It's like a seatbelt for your passengers.

Sensitive Data Exposure
* When an exception occurs, we hide passwords and other sensitive information
from stack traces.

Missing Function Level Access Control
* Airship has comprehensive yet simple access controls management baked in:
* Hierarchical group-based and user-based access controls
* Multi-site architecture where each site has its own permissions matrix
* Groups can inherit permissions in a hierarchy
* Permission can be granted to groups or users
* The UX for all of the above is simple and intuitive

Insecure Cryptographic Storage is a non-issue; we make full use of
the Sodium cryptographic library (through Paragon Initiative
Enterprises' Halite API).
* Passwords are hashed with Argon2i, then encrypted with an
authenticated encryption feature (XSalsa20 + keyed BLAKE2b).

Password-Hashing Denial of Service Attack and/or Login Brute-Force
* We rate-limit failed login requests based on IP range and username. Each
successive attempt incurs a progressive delay up to a configurable maximum.
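
One way to implement the throttle described above. This is an added example, not Airship's own code; the /24 and /64 range sizes, the doubling schedule, the 30-second cap and all function names are assumptions, and the addresses are constructed from documentation ranges.

```php
<?php
declare(strict_types=1);

/** Collapse an address to its range. /24 and /64 are assumed range sizes. */
function ipRange(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('not an IP address');
    }
    $packed = inet_pton($ip);
    $keep   = strlen($packed) === 4 ? 3 : 8; // prefix bytes kept
    $masked = substr($packed, 0, $keep) . str_repeat("\x00", strlen($packed) - $keep);
    return inet_ntop($masked) . '/' . ($keep * 8);
}

/** Delay in seconds after N failures: doubles each time (assumed), capped at $max. */
function loginDelay(int $failures, int $base = 1, int $max = 30): int
{
    return $failures < 1 ? 0 : (int) min($base * (2 ** min($failures - 1, 20)), $max);
}

/** Failures are counted once per address range and once per username. */
function throttleKeys(string $ip, string $username): array
{
    return ['range:' . ipRange($ip), 'user:' . strtolower($username)];
}

function recordFailure(array &$failures, string $ip, string $username): void
{
    foreach (throttleKeys($ip, $username) as $key) {
        $failures[$key] = ($failures[$key] ?? 0) + 1;
    }
}

/** The higher of the two counters decides how long the next attempt waits. */
function delayFor(array $failures, string $ip, string $username): int
{
    [$range, $user] = throttleKeys($ip, $username);
    return loginDelay(max($failures[$range] ?? 0, $failures[$user] ?? 0));
}

// Constructed sample: three failed logins for "alice" from one /24.
$failures = []; // in-memory for the demo; a real site would persist this
foreach (['203.0.113.5', '203.0.113.77', '203.0.113.200'] as $ip) {
    recordFailure($failures, $ip, 'alice');
}
printf("same range, new address and user: %ds\n", delayFor($failures, '203.0.113.9', 'bob'));
printf("same user, different range:       %ds\n", delayFor($failures, '198.51.100.7', 'Alice'));
printf("unrelated range and user:         %ds\n", delayFor($failures, '198.51.100.7', 'bob'));
```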

Security Misconfiguration
* We ship with secure defaults. While you can always weaken security through
customization, we ship a secure product.